Communications & Media Security Policy
Document Number: ISMS-POL-COM-01
Classification: L1 — Policy (Domain)
Version: 0.1.2
Effective Date: March 1, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
1. Purpose
This policy defines the security requirements for external communications and media production — including YouTube content, e-book publishing, social media presence, and public-facing materials — to prevent inadvertent disclosure of confidential information, protect client data, and maintain Cybercraft brand integrity.
Cybercraft operates in dual capacity as both a security consultancy and a content producer (YouTube, e-books). This creates a unique risk: content intended for public audiences may inadvertently expose internal configurations, client data, or security architecture details.
2. Scope
2.1 Applicable Activities
- YouTube video production — tutorials, demonstrations, security awareness content
- E-book writing and publishing — security guides, technical documentation
- Social media — LinkedIn, Twitter/X, and other platforms used for Cybercraft brand promotion
- Blog posts and articles — published on Cybercraft website or third-party platforms
- Conference presentations and webinars
- Client-facing marketing materials
2.2 Applicable Personnel
- All Cybercraft personnel involved in content creation or public communications
- Contractors producing content on behalf of Cybercraft
2.3 Out of Scope
- Internal communications (email, Teams chat) — covered by M365 Workspace & Access Policy (ISMS-POL-M365-01)
- Personal social media accounts (unless representing Cybercraft or discussing Cybercraft business)
3. Screen Capture and Recording Controls
3.1 Corporate Data Exposure Risk
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 5.2 and Section 6:
Content production often involves screen recording or screenshots. When corporate applications are visible, there is a risk of exposing:
- Client names and engagement details visible in Teams channels, email, or project tools
- Internal security configurations — Intune policies, CA rules, Entra ID settings
- Personnel information — email addresses, user lists, role assignments
- Financial data — invoices, contracts, billing information
3.2 Technical Controls
| Control | Platform | Enforcement |
|---|---|---|
| Screenshot/screen recording block within managed apps | Android | MAM policy — enforced (cannot bypass) |
| Screenshot/screen recording block within managed apps | iOS | MAM policy — limited (watermark only; cannot fully prevent) |
| Copy/paste block from managed apps to personal apps | iOS, Android | MAM policy — enforced |
| macOS managed volume isolation | macOS | ADUE — work data on separate APFS volume; however, screen recording of work apps is technically possible on macOS |
Important: On macOS, the ADUE managed volume protects data at rest but does not prevent screen recording. Content creators using macOS must follow the procedural controls in Section 3.3.
3.3 Procedural Controls for Content Production
| Step | Action | Owner |
|---|---|---|
| 1 | Close all corporate applications (Teams, Outlook, Edge with corporate sessions) before starting screen recording | Content Creator |
| 2 | Use a dedicated user profile or browser profile for content production — separate from work profile | Content Creator |
| 3 | Use demo/lab environments for security tool demonstrations — never use production Cybercraft tenant | Content Creator |
| 4 | Review all recordings before publishing — check for notification banners, email previews, Teams messages, or other corporate data leakage | Content Creator |
| 5 | Blur or redact any accidentally captured corporate data before publishing | Content Creator |
4. Content Security Review
4.1 Pre-Publication Review
All public-facing content must be reviewed for security risks before publication:
| Content Type | Review Required | Reviewer |
|---|---|---|
| YouTube videos (security tutorials) | Self-review by creator + spot check by Security Director | Content Creator / Lucas |
| E-books (technical guides) | Full review before publication | Lucas / Richard |
| Blog posts / articles | Self-review by creator | Content Creator |
| Conference presentations | Full review if client data or CC architecture is referenced | Lucas / Richard |
| Social media posts | Self-review — no approval required for general posts | Content Creator |
4.2 Review Checklist
Before publishing any content, verify:
No client names, logos, or engagement details are visible or referenced without explicit client consent
No internal CC tenant configurations are visible (Intune policies, CA rules, user lists, Entra ID settings)
No real email addresses, phone numbers, or personnel details are exposed
No financial information (invoices, pricing, contracts) is visible
Demo environments were used for tool demonstrations — not production
All notification banners and popups in screen recordings have been reviewed and redacted if needed
Content does not inadvertently disclose Cybercraft's security posture or vulnerabilities that could be exploited
5. Public Disclosure Controls
5.1 What May Be Disclosed
- General security best practices and educational content
- Cybercraft's service offerings and capabilities (at a marketing level)
- Industry frameworks and standards (ISO 27001, ACSC Essential Eight) in an educational context
- Anonymised case studies with client consent
5.2 What Must NOT Be Disclosed
- Specific Cybercraft internal security configurations, policies, or architecture details
- Client names, engagement scope, or deliverables without written client consent
- Vulnerability information about Cybercraft or client systems
- Internal communications, meeting notes, or strategic plans
- Personnel salary, contract terms, or personal information
- Any information classified as Confidential under the data classification scheme
5.3 Client Data in Content
- No client data may be used in content production without explicit written consent from the client
- Client consent must specify: what data, in what context, for what audience
- Consent records are maintained by the CEO (Farah) and reviewed annually
6. Brand Protection
6.1 Consistent Representation
- All public-facing content must represent Cybercraft accurately and professionally
- Security claims must be factual and verifiable — do not overstate Cybercraft's certifications or capabilities
- When discussing Cybercraft's ISO 27001 alignment, use precise language: "designed to align with ISO 27001" (not "ISO 27001 certified") unless formal certification has been achieved
6.2 Incident Response for Public Content
If confidential information is inadvertently published:
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Immediately remove the content from the public platform (unlist/delete video, retract post) | Content Creator | Immediately upon discovery |
| 2 | Notify Security Director | Content Creator | Within 1 hour |
| 3 | Assess exposure: What data? How long was it public? Who may have seen it? | Lucas | Within 24 hours |
| 4 | If client data was exposed: Notify client and escalate to CISO | Lucas → Richard → Farah | Within 24 hours |
| 5 | Document in Incident Register | Lucas | Within 72 hours |
7. Email-Based Information Transfer Controls
7.1 Scope
This section governs the use of email (Outlook) as a channel for transferring information — particularly Confidential data — to external parties. Internal email communications within the M365 tenant are governed by M365 Workspace & Access Policy (ISMS-POL-M365-01).
7.2 Permitted Use
- General classification data: May be sent to external recipients via Outlook without additional approval
- Internal classification data: May be sent to external recipients when there is a documented business justification
- Confidential classification data: Requires Security Director approval before sending. For ongoing collaboration, use the Teams-based Confidential External Sharing procedure (M365 Workspace Operations Procedure, ISMS-PROC-M365-01 §4) instead of email.
7.3 Controls
| Control | Requirement | Enforcement | |
|---|---|---|---|
| Confidentiality notice | Emails containing Confidential data must include an appropriate confidentiality disclaimer | Policy-enforced (Outlook signature template recommended) | |
| Attachment review | Sender must verify no unintended Confidential content is included in attachments | Policy-enforced (sender responsibility) | |
| Recipient verification | Sender must confirm recipient email address before sending Confidential data | Policy-enforced (Outlook MailTips where available) | |
| Encryption | Confidential attachments should use password protection or M365 Message Encryption when the recipient supports it | Policy-enforced; M365 Message Encryption available for Premium licence holders |
7.4 Prohibited
- Sending Confidential data to personal email addresses (e.g., Gmail, Yahoo)
- Auto-forwarding corporate email to external accounts
- Using email as the primary channel for ongoing Confidential data collaboration (use Teams-based procedure instead)
Cross-reference: For the Confidential External Sharing 5-step procedure via Teams, see M365 Workspace Operations Procedure (ISMS-PROC-M365-01) §4. For data classification definitions, see M365 Workspace & Access Policy (ISMS-POL-M365-01) §3.
8. Content Production on BYOD Devices
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 6.1 and 6.2:
When content is produced on personal devices enrolled in BYOD:
- The work domain (managed volume / Work Profile) is logically isolated from the personal domain
- Content production tools (video editors, screen recorders) run in the personal domain and cannot directly access work data
- However, screen recording on macOS can capture work application windows if they are open — this is the primary residual risk
- Content creators must follow the procedural controls in Section 3.3 to mitigate this risk
9. Roles and Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| CEO | Farah | Brand direction, client consent management, public communications authority, marketing oversight |
| CISO | Richard | Policy approval, content security review for high-risk publications, incident escalation |
| Security Director | Lucas | Policy maintenance, content security spot checks, demo environment management, incident response for content-related breaches |
| Content Creator | Designated personnel | Follow procedural controls, self-review before publication, immediate removal if confidential data is exposed |
10. Compliance Mapping
| ISO 27001 Control | Requirement | Covered By |
|---|---|---|
| A.5.10 | Acceptable use of information and assets | Section 3 (Screen capture controls) + Section 5 (Public disclosure controls) |
| A.5.14 | Information transfer | Section 5 (Public disclosure) + Section 7 (Email-based information transfer controls) |
| A.5.34 | Privacy and protection of PII | Section 4.2 (Review checklist — no personnel details exposed) + Section 5.3 (Client data consent) |
| A.6.8 | Information security event reporting | Section 6.2 (Incident response for inadvertent publication) |
11. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — screen capture controls, content security review, public disclosure controls, brand protection. Incorporates media-related elements from BYOD Security Policy. |
| 0.1.1 | 2026-02-20 | Lucas Shin | Updated cross-reference document numbers to reflect new L2 policy numbering scheme. |
| 0.1.2 | 2026-03-01 | Lucas Shin | Added §7 Email-Based Information Transfer Controls — Confidential data email transfer rules, encryption requirements, prohibited practices. Cross-references to ISMS-PROC-M365-01 §4 and ISMS-POL-M365-01 §3. Renumbered §7→§8 through §10→§11. Updated A.5.14 compliance mapping. Phase 2-5 ISMS 문서 매핑. |
Review Schedule
- Quarterly: Content security spot check, review of published content for compliance
- Annually: Full policy review, content production workflow assessment
- Ad-hoc: After content-related security incidents, new content platform adoption, or client consent changes
[End of Policy Document]